Skip to main content

Planning templates for an isolated cloud tenant with Terraform

by Jeff Christman
Senior Consultant, Cloud Security

With the increasing adoption of public cloud services by enterprises, the demand for isolated cloud tenants has become more common, driven by the need to meet security, privacy, and legal requirements.

Recently, I embarked on a new project for a financial industry client that required isolated tenants in Microsoft Azure to comply with federal regulations. To manage infrastructure at the tenant level, developers and administrators often rely on Terraform, an infrastructure-as-code tool. However, they face a challenge in scenarios where Terraform state files lack portability. To address this issue for isolated tenants, we are implementing a more modular approach to organizing these files. Instead of creating seven separate Terraform configuration files, we encourage writing one file and encapsulating it within modules.

Our client, as well as its banking customers, must adhere to strict banking regulations, necessitating complete isolation between each customer to ensure security. However, it is crucial to maintain uniformity across tenants. This can be achieved by modularizing common parameters in the Terraform code. Under this approach, a shared VNet or network is consistently utilized, and the base infrastructure remains relatively unchanged across subscriptions. By encapsulating the VNet in a module, along with separate modules for Dev, Prod, and the main configuration Terraform files, one can simply call the required modules for the desired environment. Additionally, deploying different subscriptions can be facilitated by creating a back-end module. Employing a single main configuration file, such as "," streamlines the process, allowing for easy invocation of the required modules.

Curious about Microsoft's approach to creating isolated tenants, I initially sought answers to this question. Consulting the relevant documentation shed light on the back-end processes. In the public cloud version of Microsoft Azure, dedicated instances of Azure Active Directory are provisioned for organizations upon registration. These Azure AD instances are logically isolated from one another to prevent unintentional or malicious data exchange. Azure AD operates on "bare metal" servers situated in a segregated network segment with host-level packet filtering and Windows Firewall, effectively blocking unwanted connections and traffic.

FREE Membership Required to View Full Content:

Joining gives you free, unlimited access to news, analysis, white papers, case studies, product brochures, and more. You can also receive periodic email newsletters with the latest relevant articles and content updates.
Learn more about us here

About Jeff Christman

Jeff Christman is a distinguished Navy Veteran boasting more than two decades of expertise in the Information Technology sector. He possesses a specialized focus on cloud migration projects, having contributed his skills to prestigious organizations including Raytheon, AT&T, and NASA. Presently, he holds the position of Senior Cloud Security Consultant at a prominent consulting firm. Beyond his professional endeavors, Jeff is an accomplished author and educator, developing and publishing content and courses for renowned platforms such as,, and

Outside of his professional pursuits, Jeff enjoys engaging in fantasy football, exploring advancements in technology, and playfully teasing his teenage daughters.

More about Jeff Christman